Forgot your password?
typodupeerror
IOS Security Communications Encryption Iphone Privacy Apple

Private Data On iOS Devices Not So Private After All 101

Posted by timothy
from the it's-totally-intuitive dept.
theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference: Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. If you'd rather watch and listen, Zdziarski has posted a video showing how it's done.
This discussion has been archived. No new comments can be posted.

Private Data On iOS Devices Not So Private After All

Comments Filter:
  • Stallman was right (Score:5, Insightful)

    by jabberw0k (62554) on Saturday July 26, 2014 @09:29AM (#47538223) Homepage Journal

    These so-called "smart telephones" aren't telephones at all; they are computers. Computers that you cannot control. And if you aren't, who is?

    Some folks thought Richard Stallman was crazy for saying no-one should run software or use hardware that is based on clandestine (proprietary, hidden) knowledge. This latest revelation is just one reason he was right all along.

    • by Anonymous Coward on Saturday July 26, 2014 @09:45AM (#47538291)

      Fortunately, if someone wants a "smartphone" that is under full control of the user, there are a few choices: Openmoko Neo Freerunner, OpenPhoenux GTA04 or latest device in development - Neo900 ( http://neo900.org/ )

      The last one even goes further and implements monitoring over some unavoidably closed parts, like GSM modem (and all of them have proper modem isolation, so the modem cannot access the main RAM, possibly rendering any software encryption moot like on most of recent mainstream smartphones)

      • by antdude (79039)

        Sure, but what about the service part. How do we know what happens to the data that goes in and out of these phones? Can we encrypt from our phones to the other end like voice communications, textings, etc.?

    • by Wovel (964431)

      Let's not go off the deep end. Stallman is a lunatic...

    • Stallman is crazy. Even crazy people can be right about a few things here and there, but overall he's a zealot. The jokes goes "even a stopped watch is right a couple times a day - though you need a second working watch to see when."

      The Hurd has been under development since 1983. Three decades, and still not a stable version [gnu.org]? When he started the HURD we didn't have the web, nor the Internet. If we waited for Stallman to actually ship, we would have lost out on a lot (both good and bad, but mostly good).

      Th

  • it's the future (Score:3, Insightful)

    by Anonymous Coward on Saturday July 26, 2014 @09:32AM (#47538235)

    The more we buy devices whose master is someone else, the more things of this very nature will become a problem.

    Do not buy devices that you do not control after you buy them. You must be able to run any kernel and any userspace you want, you must be able to control the machine top to bottom. If you give this up in exchange for convenience, then you will be taken advantage of by companies that don't have your interests at heart.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      You got modded down by Apple fans for telling the truth.

    • by dos1 (2950945)

      True words. Sadly, people consider things that are trendy or have more raw power as more valuable, even if they don't really need that. When someone actually comes up with the device that you can control (instead of it controlling you), all he hears is "meh, too slow", "too expensive", "no capacitive screen? are you joking?"

      You would expect people to be more sensible than that, especially in the post-Snowden era.

      • by HiThere (15173)

        Unfortunately, no, I wouldn't "expect people to be more sensible than that, especially in the post-Snowden era", even though this actually isn't the post-Snowden era. He's still around, and still occasionally releasing new tid-bits.

        I normally expect people to be short-sighted, and to have little memory of history. I regret that I'm rarely disappointed.

  • So... (Score:5, Insightful)

    by Sqr(twg) (2126054) on Saturday July 26, 2014 @09:38AM (#47538263)

    If you store sensitive stuff on your iPhone, don't make backups from it onto an insecure/unencrypted computer.

    And if you were making backups from anything secure onto anything insecure, it is time to revise your security policy.

  • Article got it wrong (Score:5, Informative)

    by strredwolf (532) on Saturday July 26, 2014 @09:48AM (#47538297) Homepage Journal

    Almost all the reports are getting the gist of the paper wrong -- any press summation that doesn't go into the paper to understand it will get it wrong. The paper goes into deep detail that Apple has several services that, while protected by several layers of security that could be bypassed, can transfer data in the clear. There are also several services that don't have any obvious connecting software.

    It's a rather deep hacker-style dive into iOS.

    A good video about this is by TWiT Network. At http://twit.tv/sn465 [twit.tv] Security Now ep 465 has expert Steve Gibson explain the actual paper.

    • by Anonymous Coward

      You lost me when you said "expert Steve Gibson". If by "expert" you mean "shameless selfpromoting security wannabe", then OK.

      • by c0d3g33k (102699)

        You lost me when you said "expert Steve Gibson". If by "expert" you mean "shameless selfpromoting security wannabe", then OK.

        No. These are examples of shameless, self-promoting wannabes:

        https://en.wikipedia.org/wiki/... [wikipedia.org]
        https://en.wikipedia.org/wiki/... [wikipedia.org]

        Steve Gibson at least provides genuinely useful information most of the time and from what I can see does a decent job of teaching non-technical folks to understand and implement good security practices. He's a little hard to take in large doses when I've seen him on This Week in Tech and his website hurts my eyes, but I wouldn't paint him with such a broad brush. He doesn't seem

    • Hmm, like the AC joke below, I'm a bit torn when you said "Security Expert" for Steve Gibson. Aside from prodigious self promotion, as far as actual security talent, Steve's both good and bad. I may listen to this one, because this one is more in his wheelhouse - specifically describe in easier terms a complicated subject previously researched and digested by someone else.

      He's much less useful when making declarations of what to do - he's too enamored of assembly (which can lead to more security holes - the

  • by Anonymous Coward

    The "researcher" and Reuters forgot to clearly call out that for the information to be extracted with the developer tools an iOS device must be trusted. Trust is established by plugging the device into a computer and the device MUST be unlocked.

    This is akin to giving someone you don't trust a key to your house.

    • by HiThere (15173)

      Trusted by whom? I don't think there's any requirement that the purchaser of the device trust the "trusted" data extractor. IIUC it could become trusted before the customer ever received the device, or anytime it's in for service.

      So this *probably* means that J. Random Hacker can't access the information. If the assertion is true. It doesn't say anything about Apple, their employees, or anyone they share information with...transitivly.

      • by gnasher719 (869701) on Saturday July 26, 2014 @04:42PM (#47540147)

        Trusted by whom? I don't think there's any requirement that the purchaser of the device trust the "trusted" data extractor. IIUC it could become trusted before the customer ever received the device, or anytime it's in for service.

        Step 1: Plug iOS device into a Mac.
        Step 2: Unlock iOS device.
        Step 3: Click on YES when the iOS device asks if it should trust the computer.

        The critical part is Step 2, which you can only perform if you know how to unlock the device. In other words, if you know the passcode. But if you know the passcode, then you can do _anything_ with the phone. That's what the passcode is there for.

        So basically, this security "expert" found a way for a thief to enter my home through the backdoor, as long as the thief has the keys for my front door.

        • by Fnord666 (889225)

          So basically, this security "expert" found a way for a thief to enter my home through the backdoor, as long as the thief has the keys for my front door.

          This security "expert" [zdziarski.com] has a very solid background and street cred in the field of iOS forensics so I would not dismiss him so lightly.

          • by Wovel (964431)

            I am not sure he was really dismissing him, just clarifying what he actually did with a useful analogy. I would not dismiss the GP so easily. He may not have the same background, but he is right. Right trumps background every time....

  • FUD (Score:3, Informative)

    by Anonymous Coward on Saturday July 26, 2014 @10:02AM (#47538371)

    The it only works with a trusted device AND the device being unlocked.

    If you gave your device PIN to someone, they already have your data and don't need to do this.

    • by kthreadd (1558445)

      It's still a problem if users don't know about it and has no way to disable it.

  • Due to the great advances in technology and the continuing reduction in cost of these technologies, what were previously "dumb" devices are now extremely sophisticated computers doing specialized tasks but they are not limited to these specialized task or to being used in the manner they were conceived for. As such almost all modern device from cameras to mp3 players can be re-purposed as digital "snitches". This is often true even if the device was not design or envisioned to so from the beginning or had c
    • If you're doing something incriminating don't use paper either. Governments have spent literally centuries figuring out how to make a piece of paper spill it's secrets.

      At this point expecting the government not to be able to get it's hands on your data if it really wants to is pretty damn naive. Folks who think that are like the mid-17th century folks who tried to skimp on telling the King their last names. They could make it work for the first few decades, but eventually the bureaucracy figured out the tec

  • by Anonymous Coward

    Already debunked.

    Irresponsible post.

  • Apple's Admission? (Score:4, Informative)

    by Anonymous Coward on Saturday July 26, 2014 @10:24AM (#47538449)

    When did Apple admit to anything? They said the researcher was wrong and described the settings that he found and what they are used for! I would trust Apple over Google any day! Eric Schmidt has lied so many times along with his colleagues that the whole company isn't trustful!

    http://support.apple.com/kb/HT6331

    http://www.macrumors.com/2014/07/22/apple-ios-backdoors-support-document/

  • Nothing new here (Score:4, Informative)

    by maccodemonkey (1438585) on Saturday July 26, 2014 @12:11PM (#47538929)

    iPhones have always been able to sync data out of their secure storage to the user's computer since launch. How did people think USB sync worked? Magical leprechauns that flew out of your phone carrying the data?

    Heck, one of these is the developer daemon that runs on the phone to install apps from Xcode. Again, how exactly did people think Xcode did that?

    These tools all require the phone be logged in, and that the right key exchange take place.

    I can't tell if the "security researcher" here is just trolling, has never actually used an iPhone, it is just stupid.

  • BlackBerry... (Score:5, Interesting)

    by Rigel47 (2991727) on Saturday July 26, 2014 @01:13PM (#47539257)
    and yet /. folk cheer on the demise of BlackBerry.. the one phone that has a near flawless security record.

    and yes, full disclosure, I own a z10. I also find it to be the best smart phone I've ever owned with battery life that my android friends can only dream about.
    • by phorm (591458)

      I own a Z10 as well. Not sure what you're raving about battery-wise. It will (barely) survive a weekend with basically no use, which is better than other phones but still not saying much.

    • by Wovel (964431)

      Blackberry, the company that routinely gives access to customer's "secure" data to governments all over the world without the customer doing anything at all. Are you high? You must be high if you purchased a z10.

  • by Anonymous Coward

    Yeah, you know me! Why trust Other People's Encryption? If you encrypt data yourself, you control who can decrypt it - unless all crypto algorithms are compromised. When Google or Apple encrypt on your behalf, you don't really know what they're doing.

Many people are unenthusiastic about their work.

Working...